Full Disclosure mailing list archives
RE: Probable new MS DCOM RPC worm for Windows
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 25 Sep 2003 09:20:00 -0500
-----Original Message-----
From: Richard Johnson [mailto:rnews () whirlpool river com]
Sent: Wednesday, September 24, 2003 10:03 AM
To: full-disclosure () lists netsys com; incidents () securityfocus com
Subject: Re: Probable new MS DCOM RPC worm for Windows

We finally had infections occur on Tuesday evening showing the same scan behavior. Sysadmins doing cleanup report Norton and McAfee IDed the bug as W32.Welchia. I don't know whether it was a variant using one of the two new RPC holes, or just month-old Welchia. That's because the hosts hit were traditional non-compliant lab machines and non-adminned remote office or home hosts. In other words, they were still vulnerable to the original blaster worm.

I'm thinking that there *has* to be a variant of Nachi/Welchia in the wild. We have machines that were patched for MS03-026 (verified by scanning with multiple scanners) but not patched for MS03-039 (ditto) and they have been infected by something that triggers my Nachi rule in snort. This should *not* be possible with the "original" Nachi/Welchia, so my assumption is that either something new has been released or the worm has mutated somehow.

Mind you, this is anecdotal and a very small incidence (only three machines so far), but it still bears watching IMHO. I've been surprised to not see any discussion on the lists about a new variant. Perhaps no one is looking?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html